Re: [Openvpn-devel] build against openssl 1.1.0

2017-04-28 Thread Hubert Kario
On Friday, 17 February 2017 18:18:27 CEST David Sommerseth wrote:
> On 17/02/17 17:35, Emmanuel Deloget wrote:
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
> 
> So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
> openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
> 
> The way Red Hat releases work is that versions are close to never
> rebased, at least not core libraries such as OpenSSL.

Both core libraries and non-core libraries are rebased in RHEL. Case in point, 
RHEL 6 originally shipped with openssl-1.0.0[1].
But rebases to releases that are ABI incompatible happen only to packages that 
are explicitly excluded[2] from ABI guarantee. OpenSSL is not one of such 
packages. For obvious reasons, I hope.

> But Red Hat
> employs a lot of users to ensure all packages they distribute are secure
> and maintained.  That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline.  And this happens for the whole life cycle of each major release.

Correct[3].

> Sometimes even features are backported as well.

Unfortunately, because RHEL-6 is currently in Production Phase 2, soon entering 
Phase 3, providing a new feature like openssl-1.0.2 would be an exception[4].

> But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x

Well, openssl-1.1.0 is already available for Fedora rawhide :)

(Hope I don't sound too much like a marketdroid, but I appreciate the support 
for RHEL you provide, so I wanted to let you know exactly where everything is; 
the least I can do)

 1 - http://vault.centos.org/6.0/os/x86_64/Packages/openssl-1.0.0-4.el6.x86_64.rpm
 2 - https://access.redhat.com/articles/rhel-abi-compatibility
 3 - https://access.redhat.com/security/updates/backporting
 4 - https://access.redhat.com/support/policy/updates/errata
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-23 Thread Илья Шипицин
2017-02-19 9:48 GMT+05:00 Илья Шипицин :

>
> 2017-02-19 4:16 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:
>
>> On 18/02/17 08:34, Илья Шипицин wrote:
>> > I added openssl-1.0.1e to test matrix (do not pay attention to
>> > commit title, it happened accidentally from iPad), so ...
>> >
>> > https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
>> >
>> > t_cltsrv.sh + openssl-1.0.1f  = OK
>> > t_cltsrv.sh + openssl-1.0.1e = FAIL
>>
>> Okay, let's get a few important details straight first.  When I spoke
>> about openssl-1.0.1e, it was in an RHEL context (including CentOS and
>> Scientific Linux).  In reality, that is not the same version as OpenSSL
>> upstream 1.0.1e.  Red Hat employs people to backport bugfixes and
>> security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
>> OpenSSL _baseline_ is 1.0.1e [1].  But it must not be compared directly
>> against v1.0.1e from openssl.org.  The baseline defines a /stable ABI/
>> (Application Binary Interface) which applications linking against the
>> library can rely on.  This is what makes RHEL and the clones so stable
>> over 7-10++ years.  And this is the challenge backporters in Red Hat
>> struggle with; not breaking applications which work.
>>
>> So unless I have misunderstood your travis commit ... you set the
>> version to 1.0.1e regardless of Linux distribution.  This itself does
>> not provide any real value for us.  As there are a lot of bugfixes and
>> security implemented in the OpenSSL package RHEL ships ... you can get
>> an idea by looking at the changelog of the openssl RPM package:
>> > 8fd69f148538c635dd990d6/SPECS!openssl.spec#L642>
>>
>> RHEL6 was released in May 2010 while RHEL7 in June 2014.  What you see
>> above is the changelog for RHEL7.  If my count is correct, that is
>> currently 127 patches *on top of* the upstream OpenSSL v1.0.1e.  I
>> wouldn't expect this patch list to be much longer on RHEL 6 though.
>>
>> So unless your travis script is clever enough to only test OpenSSL
>> v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
>> CentOS source RPM ... then I am not surprised things may fail.  Red Hat
>> may very well have fixed some bugs which we're hitting.
>>
>
> well, RedHat not only ship their very own openssl, but also their own
> openvpn package
>
> https://dl.fedoraproject.org/pub/epel/7/SRPMS/o/
>
> I see, there's %check section, but it is commented. Not sure how they test
> it. We should get in touch with redhat people if we want openvpn properly
> tested and packaged
>
> I'll have a look at 'make check' under centos later
>

'make check' is ok under CentOS 7 (it is shipped with openssl-1.0.1e)

>>
>> --
>> kind regards,
>>
>> David Sommerseth
>> OpenVPN Technologies, Inc
>>
>> [1] The reason is that all the _baseline_ packages in major RHEL
>> releases are certified against a lot of hardware (IBM, HP, Dell,
>> EMC, NetApp, etc, etc) and third party software (SAP, Oracle, etc,
>> etc).  So rebasing is out of the question, as that requires new, time
>> consuming and expensive re-certifications.  Which is why you
>> extremely seldom see version updates on packages.  Those few times
>> that happens, it is usually considered to not break any important
>> certifications.  Like, a SAP server installation probably doesn't
>> have any dependencies against the GNOME 3 packages.


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-21 Thread David Sommerseth
On 13/02/17 21:16, David Sommerseth wrote:
> On 13/02/17 20:50, Christian Hesse wrote:
>> And a lot more has to be done... There's a long list of packages to be
>> fixed. Sadly openssl developers do not care about ABI and API stability
>> or compatibility. :(
> 
> I do understand the frustration ... but lets be fair too.  OpenSSL v1.1
> is considered a major upgrade from v1.0 and they don't guarantee API/ABI
> stability across major upgrades.
> 
> And the v1.1 API does indeed try to clean up a lot of the API mess and
> confusion.  So it is a move in the right direction.  I attended an
> OpenSSL v1.1 talk at devconf.cz at the end of January this year; I'll
> try to dig up the slides from Tomas Mraz, who gave the talk.  It was quite
> informative on why it was needed to break several APIs in v1.1.

Finally!

Here's a video of the presentation:



-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-19 Thread Christian Hesse
David Sommerseth on Sat, 2017/02/18 02:52:
> On 17/02/17 22:59, Emmanuel Deloget wrote:
> > I'm not targetting 2.4 -- my work is done on the current master. Adding
> > hundreds of lines to the current 2.4 for the purpose of supporting a
> > library which is not yet present on the user systems does not make much
> > sense :)  
> 
> Currently, master and release/2.4 are fairly close ... so it shouldn't
> be too hard to cherry-pick stuff from master (which we usually prefer to
> do).
> 
> With that said ... I know Fedora has OpenSSL v1.1 support on their wish
> list for OpenVPN [1] and I believe Arch Linux guys have also been
> asking about this too.  So the more leading edge distros are moving
> towards OpenSSL v1.1 as fast as possible

Arch Linux guy started this thread. ;)

Would be great to have openssl 1.1.0 support in master soon. Maintaining
backported patches downstream should not be a problem.

From my point of view having support for openssl 1.1.0 in release/2.4 would
be even better to minimize packaging workload.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-19 Thread Gert Doering
Hi,

On Sun, Feb 19, 2017 at 04:12:02PM +0100, David Sommerseth wrote:
> But things may change again.  I heard recently that Red Hat is migrating
> over to OpenVPN as the only internal IT supported VPN solution.  So
> about 10k employees will soon depend on OpenVPN for their daily VPN
> need.  We will see when RHEL 8 gets released :)

Interesting times!

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-19 Thread David Sommerseth
On 19/02/17 05:48, Илья Шипицин wrote:
> 
> 2017-02-19 4:16 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:
> 
> On 18/02/17 08:34, Илья Шипицин wrote:
> > I added openssl-1.0.1e to test matrix (do not pay attention to
> > commit title, it happened accidentally from iPad), so ...
> >
> > https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
> >
> > t_cltsrv.sh + openssl-1.0.1f  = OK
> > t_cltsrv.sh + openssl-1.0.1e = FAIL
> 
> Okay, let's get a few important details straight first.  When I spoke
> about openssl-1.0.1e, it was in an RHEL context (including CentOS and
> Scientific Linux).  In reality, that is not the same version as OpenSSL
> upstream 1.0.1e.  Red Hat employs people to backport bugfixes and
> security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
> OpenSSL _baseline_ is 1.0.1e [1].  But it must not be compared directly
> against v1.0.1e from openssl.org.  The baseline defines a /stable ABI/
> (Application Binary Interface) which applications linking against the
> library can rely on.  This is what makes RHEL and the clones so stable
> over 7-10++ years.  And this is the challenge backporters in Red Hat
> struggle with; not breaking applications which work.
> 
> So unless I have misunderstood your travis commit ... you set the
> version to 1.0.1e regardless of Linux distribution.  This itself does
> not provide any real value for us.  As there are a lot of bugfixes and
> security implemented in the OpenSSL package RHEL ships ... you can get
> an idea by looking at the changelog of the openssl RPM package:
> 
> 
> RHEL6 was released in May 2010 while RHEL7 in June 2014.  What you see
> above is the changelog for RHEL7.  If my count is correct, that is
> currently 127 patches *on top of* the upstream OpenSSL v1.0.1e.  I
> wouldn't expect this patch list to be much longer on RHEL 6 though.
> 
> So unless your travis script is clever enough to only test OpenSSL
> v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
> CentOS source RPM ... then I am not surprised things may fail.  Red Hat
> may very well have fixed some bugs which we're hitting.
> 
> well, RedHat not only ship their very own openssl, but also their own
> openvpn package
> 
> https://dl.fedoraproject.org/pub/epel/7/SRPMS/o/

The Fedora EPEL packages are not really Red Hat (even though many Red
Hatters maintain EPEL packages).  The difference is, EPEL packages are
unsupported by Red Hat's support plans.  Packages coming from the
official Red Hat source repositories (which CentOS "clones"), are fully
supported by their support plans.

> I see, there's %check section, but it is commented. Not sure how they
> test it. We should get in touch with redhat people if we want openvpn
> properly tested and packaged

OpenVPN is not tested by Red Hat.  Official packages by Red Hat (from
the proper RHEL repositories) go through a massive QE process, with
loads of automated regression testing, specially written for each
distributed package.  All bugzillas tied to a package get their own test
case written and are explicitly tested.  Then the package is installed,
uninstalled, upgraded and downgraded on systems which try to simulate
a production environment.  And I've probably forgotten a bunch of other
steps as well.

> I'll have a look at 'make check' under centos later

You won't find any explicit OpenVPN package in the CentOS 6 or later
repositories.  You will find el5 packages though, as OpenVPN was an
official package in RHEL5 (but that is 2.1_rc-something, IIRC)

As of RHEL 6, Red Hat removed OpenVPN from the official repositories and
decided users needing it should use Fedora EPEL for it.  The reasoning
is probably cost related.  Otherwise they need to allocate at least
one person to be the package maintainer, plus the QE and release
management machinery.  If few Enterprise customers depend on OpenVPN for
their critical workloads, it probably wasn't worth the cost.  In
addition they might have looked at the stability and the amount of
security related issues in OpenVPN over many years (which are quite good!)

But things may change again.  I heard recently that Red Hat is migrating
over to OpenVPN as the only internal IT supported VPN solution.  So
about 10k employees will soon depend on OpenVPN for their daily VPN
need.  We will see when RHEL 8 gets released :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc





Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-18 Thread Илья Шипицин
2017-02-19 4:16 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:

> On 18/02/17 08:34, Илья Шипицин wrote:
> > I added openssl-1.0.1e to test matrix (do not pay attention to
> > commit title, it happened accidentally from iPad), so ...
> >
> > https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
> >
> > t_cltsrv.sh + openssl-1.0.1f  = OK
> > t_cltsrv.sh + openssl-1.0.1e = FAIL
>
> Okay, let's get a few important details straight first.  When I spoke
> about openssl-1.0.1e, it was in an RHEL context (including CentOS and
> Scientific Linux).  In reality, that is not the same version as OpenSSL
> upstream 1.0.1e.  Red Hat employs people to backport bugfixes and
> security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
> OpenSSL _baseline_ is 1.0.1e [1].  But it must not be compared directly
> against v1.0.1e from openssl.org.  The baseline defines a /stable ABI/
> (Application Binary Interface) which applications linking against the
> library can rely on.  This is what makes RHEL and the clones so stable
> over 7-10++ years.  And this is the challenge backporters in Red Hat
> struggle with; not breaking applications which work.
>
> So unless I have misunderstood your travis commit ... you set the
> version to 1.0.1e regardless of Linux distribution.  This itself does
> not provide any real value for us.  As there are a lot of bugfixes and
> security implemented in the OpenSSL package RHEL ships ... you can get
> an idea by looking at the changelog of the openssl RPM package:
>  635dd990d6/SPECS!openssl.spec#L642>
>
> RHEL6 was released in May 2010 while RHEL7 in June 2014.  What you see
> above is the changelog for RHEL7.  If my count is correct, that is
> currently 127 patches *on top of* the upstream OpenSSL v1.0.1e.  I
> wouldn't expect this patch list to be much longer on RHEL 6 though.
>
> So unless your travis script is clever enough to only test OpenSSL
> v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
> CentOS source RPM ... then I am not surprised things may fail.  Red Hat
> may very well have fixed some bugs which we're hitting.
>


well, RedHat not only ship their very own openssl, but also their own
openvpn package

https://dl.fedoraproject.org/pub/epel/7/SRPMS/o/

I see, there's %check section, but it is commented. Not sure how they test
it. We should get in touch with redhat people if we want openvpn properly
tested and packaged

I'll have a look at 'make check' under centos later


>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
> [1] The reason is that all the _baseline_ packages in major RHEL
> releases are certified against a lot of hardware (IBM, HP, Dell,
> EMC, NetApp, etc, etc) and third party software (SAP, Oracle, etc,
> etc).  So rebasing is out of the question, as that requires new, time
> consuming and expensive re-certifications.  Which is why you
> extremely seldom see version updates on packages.  Those few times
> that happens, it is usually considered to not break any important
> certifications.  Like, a SAP server installation probably doesn't
> have any dependencies against the GNOME 3 packages.


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-18 Thread David Sommerseth
On 18/02/17 08:34, Илья Шипицин wrote:
> I added openssl-1.0.1e to test matrix (do not pay attention to
> commit title, it happened accidentally from iPad), so ...
> 
> https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
> 
> t_cltsrv.sh + openssl-1.0.1f  = OK
> t_cltsrv.sh + openssl-1.0.1e = FAIL

Okay, let's get a few important details straight first.  When I spoke
about openssl-1.0.1e, it was in an RHEL context (including CentOS and
Scientific Linux).  In reality, that is not the same version as OpenSSL
upstream 1.0.1e.  Red Hat employs people to backport bugfixes and
security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
OpenSSL _baseline_ is 1.0.1e [1].  But it must not be compared directly
against v1.0.1e from openssl.org.  The baseline defines a /stable ABI/
(Application Binary Interface) which applications linking against the
library can rely on.  This is what makes RHEL and the clones so stable
over 7-10++ years.  And this is the challenge backporters in Red Hat
struggle with; not breaking applications which work.

So unless I have misunderstood your travis commit ... you set the
version to 1.0.1e regardless of Linux distribution.  This itself does
not provide any real value for us.  As there are a lot of bugfixes and
security implemented in the OpenSSL package RHEL ships ... you can get
an idea by looking at the changelog of the openssl RPM package:


RHEL6 was released in May 2010 while RHEL7 in June 2014.  What you see
above is the changelog for RHEL7.  If my count is correct, that is
currently 127 patches *on top of* the upstream OpenSSL v1.0.1e.  I
wouldn't expect this patch list to be much longer on RHEL 6 though.

So unless your travis script is clever enough to only test OpenSSL
v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
CentOS source RPM ... then I am not surprised things may fail.  Red Hat
may very well have fixed some bugs which we're hitting.


--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




[1] The reason is that all the _baseline_ packages in major RHEL
releases are certified against a lot of hardware (IBM, HP, Dell,
EMC, NetApp, etc, etc) and third party software (SAP, Oracle, etc,
etc).  So rebasing is out of the question, as that requires new, time
consuming and expensive re-certifications.  Which is why you
extremely seldom see version updates on packages.  Those few times
that happens, it is usually considered to not break any important
certifications.  Like, a SAP server installation probably doesn't
have any dependencies against the GNOME 3 packages.


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Илья Шипицин
2017-02-17 23:17 GMT+05:00 Илья Шипицин :

> Fri, 17 Feb 2017 at 22:21, David Sommerseth <open...@sf.lists.topphemmelig.net>:
>
>> On 17/02/17 17:35, Emmanuel Deloget wrote:
>> >
>> > Now, I have a question which is related to this. The way I'm doing
>> > things, I will make sure that the new code is compatible with both
>> > OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
>> > compatible with version 0.9.8 as well, yet I can't stop wondering if
>> > this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 months ago and I
>> > believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
>> > library -- unless it wants to make sure that future vulnerabilities in
>> > this old, deprecated version will affect it (and I'm not sure it's a
>> > good thing). Same goes for OpenSSL 1.0.1 which has been declared out
>> > of support in January 2017.
>>
>> TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
>> support v1.0.1e until at least June 30, 2024.
>
> I added openssl-1.0.1e to test matrix (do not pay attention to commit
> title, it happened accidentally from iPad), so ...
>
> https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
>
>
t_cltsrv.sh + openssl-1.0.1f  = OK
t_cltsrv.sh + openssl-1.0.1e = FAIL


>>
>> And now to why 
>>
>> One thing is what the upstream OpenSSL supports or not.  But there are
>> commercial Linux vendors which maintain versions after upstream drops
>> the support.  The most obvious Linux vendor here is Red Hat.
>>
>> We have had a policy that the oldest Linux distribution we support is
>> what Red Hat officially supports [1].  We do not consider the "extended
>> support" scenarios, as that is services customers needs to pay extra for
>> (and is quite costly, AFAIR).  Currently, RHEL 5 (Red Hat Enterprise
>> Linux 5) is the oldest supported distribution, so that is what we
>> support.  But that support expires March 31, 2017.  So as of April 1st,
>> 2017 RHEL 6 is the oldest distribution we support.
>>
>> With that said.  Since we released OpenVPN v2.4 fairly recently (late
>> December), we have not considered or planned for a long-term RHEL 5
>> support for that distribution, as that is going EOL very soon.
>>
>> [1]
>> > #Life_Cycle_Dates>
>>
>>
>> > I understand that I'm the new guy in town, but can you allow me to
>> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
>> > require at least version 1.0.2?
>>
>> So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
>> openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
>>
>> The way Red Hat releases work is that versions are close to never
>> rebased, at least not core libraries such as OpenSSL.  But Red Hat
>> employs a lot of users to ensure all packages they distribute are secure
>> and maintained.  That means that security and important bug fixes will
>> be backported from newer OpenSSL releases to the openssl-1.0.1e
>> baseline.  And this happens for the whole life cycle of each major
>> release.
>>
>> Sometimes even features are backported as well.  But I have gotten
>> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
>> backported, as the code has changed too much since the 1.0.1 baseline.
>> But I would be surprised if a future RHEL 8 does not ship with
>> openssl-1.1.x
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>> OpenVPN Technologies, Inc


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread David Sommerseth
On 17/02/17 22:59, Emmanuel Deloget wrote:
> I'm not targetting 2.4 -- my work is done on the current master. Adding
> hundreds of lines to the current 2.4 for the purpose of supporting a library
> which is not yet present on the user systems does not make much sense :)

Currently, master and release/2.4 are fairly close ... so it shouldn't
be too hard to cherry-pick stuff from master (which we usually prefer to
do).

With that said ... I know Fedora has OpenSSL v1.1 support on their wish
list for OpenVPN [1] and I believe Arch Linux guys have also been
asking about this too.  So the more leading edge distros are moving
towards OpenSSL v1.1 as fast as possible

[1] 

Fedora is considering (and have builds ready) to temporarily switch to
mbed TLS, despite not being as feature rich as OpenSSL ... just to avoid
holding anything back.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Emmanuel Deloget
Hello,

On Fri, Feb 17, 2017 at 6:42 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 17, 2017 at 06:37:04PM +0100, Emmanuel Deloget wrote:
>> I guess the answer to the riddle is: "how long will the 2.4 branch
>> live?". v2.3 shipped in May 2013. If we assume that v2.4 will be the
>> stable branch for two more years (I cannot find any roadmap, so this
>> is pure speculation) then it might make sense for 2.5 to at least
>> remove support for OpenSSL v0.9.8 (it would have been EoL'd for 3
>> years by then).
>
> We have *plans* to release 2.5 faster than "it takes another 3 years",
> but we said so when planning 2.4 as well.

That's good to know :) Is there any roadmap available to the general public?

> Since David pointed out already that RHEL5 is going to be EOLed soon,
> I do not think 0.9.8 is an important target anymore.  Depending on the
> amount of #ifdef etc., it might make sense to drop 0.9.8 support in
> 2.4, but only add 1.1 support to master/2.5 - we're early in the 2.4
> cycle, which allows "somewhat larger" changes, but 500+ insertions
> sounds like a bit too intrusive.

I'm not targetting 2.4 -- my work is done on the current master. Adding
hundreds of lines to the current 2.4 for the purpose of supporting a library
which is not yet present on the user systems does not make much sense :)

BR,

-- Emmanuel Deloget



Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Илья Шипицин
Fri, 17 Feb 2017 at 22:21, David Sommerseth <open...@sf.lists.topphemmelig.net>:

> On 17/02/17 17:35, Emmanuel Deloget wrote:
> >
> > Now, I have a question which is related to this. The way I'm doing
> > things, I will make sure that the new code is compatible with both
> > OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
> > compatible with version 0.9.8 as well, yet I can't stop wondering if
> > this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 months ago and I
> > believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
> > library -- unless it wants to make sure that future vulnerabilities in
> > this old, deprecated version will affect it (and I'm not sure it's a
> > good thing). Same goes for OpenSSL 1.0.1 which has been declared out
> > of support in January 2017.
>
> TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
> support v1.0.1e until at least June 30, 2024.
I added openssl-1.0.1e to test matrix (do not pay attention to commit
title, it happened accidentally from iPad), so ...

https://travis-ci.org/OpenVPN/openvpn/jobs/202709493

> And now to why 
>
> One thing is what the upstream OpenSSL supports or not.  But there are
> commercial Linux vendors which maintain versions after upstream drops
> the support.  The most obvious Linux vendor here is Red Hat.
>
> We have had a policy that the oldest Linux distribution we support is
> what Red Hat officially supports [1].  We do not consider the "extended
> support" scenarios, as that is services customers needs to pay extra for
> (and is quite costly, AFAIR).  Currently, RHEL 5 (Red Hat Enterprise
> Linux 5) is the oldest supported distribution, so that is what we
> support.  But that support expires March 31, 2017.  So as of April 1st,
> 2017 RHEL 6 is the oldest distribution we support.
>
> With that said.  Since we released OpenVPN v2.4 fairly recently (late
> December), we have not considered or planned for a long-term RHEL 5
> support for that distribution, as that is going EOL very soon.
>
> [1]
>
>
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
>
> So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
> openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
>
> The way Red Hat releases work is that versions are close to never
> rebased, at least not core libraries such as OpenSSL.  But Red Hat
> employs a lot of users to ensure all packages they distribute are secure
> and maintained.  That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline.  And this happens for the whole life cycle of each major release.
>
> Sometimes even features are backported as well.  But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with
> openssl-1.1.x
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc


Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Matthias Andree
Am 17.02.2017 um 17:35 schrieb Emmanuel Deloget:
> I understand that I'm the new guy in town, but can you allow me to
> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> require at least version 1.0.2?

1.0.1 has also gone out of support, and I propose to let the distros
sort out the upgrading and if someone needs to go forward with his
OpenVPN version to a future 2.5.0 that would no longer work with 1.0.1,
they could always add another newer OpenSSL package as well, possibly in
a separate prefix, say /opt/openssl102.

Note that I am not speaking on behalf of the project, just personally,
and that out of the way, since this code isn't likely going to be part
of a stable release,
I propose that it be only compatible back to supported OpenSSL versions,
i. e. 1.0.2 and 1.1.0.




Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Gert Doering
Hi,

On Fri, Feb 17, 2017 at 06:37:04PM +0100, Emmanuel Deloget wrote:
> I guess the answer to the riddle is: "how long will the 2.4 branch
> live?". v2.3 shipped in May 2013. If we assume that v2.4 will be the
> stable branch for two more years (I cannot find any roadmap, so this
> is pure speculation) then it might make sense for 2.5 to at least
> remove support for OpenSSL v0.9.8 (it would have been EoL'd for 3
> years by then). 

We have *plans* to release 2.5 faster than "it takes another 3 years",
but we said so when planning 2.4 as well.

Since David pointed out already that RHEL5 is going to be EOLed soon,
I do not think 0.9.8 is an important target anymore.  Depending on the
amount of #ifdef etc., it might make sense to drop 0.9.8 support in
2.4, but only add 1.1 support to master/2.5 - we're early in the 2.4
cycle, which allows "somewhat larger" changes, but 500+ insertions
sounds like a bit too intrusive.

> I must admit that the fact that I can build OpenVPN
> against a security-focused library that hasn't seen any evolution/bug
> fix/security fix in one year makes me pretty shaky :)

Well, as far as I understand, at least the RHEL guys would backport
anything that shows up while RHEL5 is still supported...  (and since
they never change version numbers, this is/was the goal).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Emmanuel Deloget
Hello,

On Fri, Feb 17, 2017 at 5:41 PM, Gert Doering  wrote:
> Hi,
>
> On Fri, Feb 17, 2017 at 05:35:04PM +0100, Emmanuel Deloget wrote:
>> I understand that I'm the new guy in town, but can you allow me to
>> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
>> require at least version 1.0.2?
>
> I'm not going to make a call on any of these versions, I just want
> to point out that we do need to (and *want* to) support older release
> of distributions that do not ship "most recent" OpenSSL versions yet.
>
> So we're somewhat caught in the middle between arch linux with 1.1.0
> and something like RHEL that ships seriously old OpenSSL (with patches).

My feeling is that RHEL6 and RHEL 7 are shipping v1.0.1 at least (both
updated the packages to 1.0.1e in March 2016). RHEL5 is still shipping
v0.9.8 (but then the installation of openvpn on RHEL 5 and Centos 5 is
fully manual as it seems there are no official packages for these
distributions). Of course, I might be wrong.

> This said, we need to regularly re-evaluate what the oldest distribution
> is that a given OpenVPN branch should support, and then we can drop support
> for older OpenSSL versions...

I guess the answer to the riddle is: "how long will the 2.4 branch
live?". v2.3 shipped in May 2013. If we assume that v2.4 will be the
stable branch for two more years (I cannot find any roadmap, so this
is pure speculation) then it might make sense for 2.5 to at least
remove support for OpenSSL v0.9.8 (it would have been EoL'd for 3
years by then). I must admit that the fact that I can build OpenVPN
against a security-focused library that hasn't seen any evolution/bug
fix/security fix in one year makes me pretty shaky :)

>
> gert
>

BR,

-- Emmanuel Deloget



Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread David Sommerseth
On 17/02/17 17:35, Emmanuel Deloget wrote:
> 
> Now, I have a question which is related to this. The way I'm doing
> things, I will make sure that the new code is compatible with both
> OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
> compatible with version 0.9.8 as well, yet I can't stop wondering if
> this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 months ago and I
> believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
> library -- unless it wants to make sure that future vulnerabilities in
> this old, deprecated version will affect it (and I'm not sure it's a
> good thing). Same goes for OpenSSL 1.0.1 which has been declared out
> of support in January 2017.

TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
support v1.0.1e until at least June 30, 2024.


And now to why 

One thing is what the upstream OpenSSL supports or not.  But there are
commercial Linux vendors which maintain versions after upstream drops
the support.  The most obvious Linux vendor here is Red Hat.

We have had a policy that the oldest Linux distribution we support is
what Red Hat officially supports [1].  We do not consider the "extended
support" scenarios, as those are services customers need to pay extra for
(and is quite costly, AFAIR).  Currently, RHEL 5 (Red Hat Enterprise
Linux 5) is the oldest supported distribution, so that is what we
support.  But that support expires March 31, 2017.  So as of April 1st,
2017 RHEL 6 is the oldest distribution we support.

With that said, since we released OpenVPN v2.4 fairly recently (late
December), we have not considered or planned for a long-term RHEL 5
support for that distribution, as that is going EOL very soon.

[1]



> I understand that I'm the new guy in town, but can you allow me to
> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> require at least version 1.0.2?

So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.

The way Red Hat releases work is that versions are close to never
rebased, at least not core libraries such as OpenSSL.  But Red Hat
employs a lot of users to ensure all packages they distribute are secure
and maintained.  That means that security and important bug fixes will
be backported from newer OpenSSL releases to the openssl-1.0.1e
baseline.  And this happens for the whole life cycle of each major release.

Sometimes even features are backported as well.  But I have gotten
fairly clear signals that TLSv1.3 from openssl-1.1 will not be
backported, as the code has changed too much since the 1.0.1 baseline.
But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Gert Doering
Hi,

On Fri, Feb 17, 2017 at 05:35:04PM +0100, Emmanuel Deloget wrote:
> I understand that I'm the new guy in town, but can you allow me to
> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> require at least version 1.0.2?

I'm not going to make a call on any of these versions, I just want
to point out that we do need to (and *want* to) support older release
of distributions that do not ship "most recent" OpenSSL versions yet.

So we're somewhat caught in the middle between arch linux with 1.1.0
and something like RHEL that ships seriously old OpenSSL (with patches).

This said, we need to regularly re-evaluate what the oldest distribution
is that a given OpenVPN branch should support, and then we can drop support
for older OpenSSL versions...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-17 Thread Emmanuel Deloget
Hello,

First, sorry for the inconvenience: this message is not attached to
the remaining of the discussion (I just joined the ML so I cannot
answer to a one week old message). That being said:

On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
> compile against this version. Did anybody start the work to support latest
> openssl versions?

I did (yesterday). So far, I made good progress on many fronts,
although I'm not sure the path I took is what you would expect.

One of the main changes in OpenSSL 1.1 is that types are now opaque,
meaning that you need to access the internal fields using various
(mostly short) functions. For most of them, these functions have been
added to the API.

To make OpenVPN support OpenSSL, I decided to

  1. check whether the functions I need are in OpenSSL at configure
time. The function list is quite large.
  2. reimplement the missing functions as static inlines in an
openssl_compat.h header, using the OpenSSL prototypes.
  3. use the new interface in the OpenVPN code.
  4. when possible (i.e. when the interface already exists in OpenSSL
1.0), use this interface

The motivation behind this is to ease the porting of OpenVPN to a new
OpenSSL API -- if the code is already using the latest API, the next
changes are going to be less radical.
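
The four-step approach above, as an added illustration that is not Emmanuel's patch nor OpenVPN's or OpenSSL's code: TOY_KEY, toy_key_new(), the TOY_KEY_get_* accessors and TOY_SSL_VERSION_NUMBER are constructed stand-ins for an OpenSSL type and OPENSSL_VERSION_NUMBER, so it builds without OpenSSL installed. The version gate uses the real 1.1.0 value, and the shim mirrors step 2 (static inline accessors declared with the new library's prototypes), so the application code compiles unchanged against either struct layout.

```c
/* Constructed stand-ins, not OpenSSL: TOY_KEY plays the role of a type that
 * became opaque in 1.1, TOY_SSL_VERSION_NUMBER plays OPENSSL_VERSION_NUMBER.
 * Build with -DTOY_SSL_VERSION_NUMBER=0x10100000L to take the opaque path. */
#include <stdlib.h>
#include <string.h>

#ifndef TOY_SSL_VERSION_NUMBER
#define TOY_SSL_VERSION_NUMBER 0x10002000L   /* default: behave like 1.0.2 */
#endif
#define TOY_PRE_1_1 (TOY_SSL_VERSION_NUMBER < 0x10100000L)  /* 1.1.0 == 0x10100000L */

/* ---- the "library" public header ---- */
typedef struct toy_key_st TOY_KEY;
TOY_KEY *toy_key_new(int bits, const unsigned char id[8]);
#if TOY_PRE_1_1
/* 1.0.x style: the layout is public, callers traditionally poke k->bits */
struct toy_key_st { int bits; unsigned char id[8]; };
#else
/* 1.1 style: the layout is hidden, only accessor functions are exported */
int TOY_KEY_get_bits(const TOY_KEY *k);
const unsigned char *TOY_KEY_get0_id(const TOY_KEY *k);
#endif

/* ---- openssl_compat.h style shim (step 2): backfill the 1.1 accessors on
 * an old library, using exactly the prototypes the new library declares ---- */
#if TOY_PRE_1_1
static inline int TOY_KEY_get_bits(const TOY_KEY *k) { return k->bits; }
static inline const unsigned char *TOY_KEY_get0_id(const TOY_KEY *k) { return k->id; }
#endif

/* ---- application code (steps 3/4): written once against the accessor API.
 * Writing k->bits here would not compile on the opaque branch; the accessor
 * works on both, which is the whole point of the shim. ---- */
int key_meets_policy(const TOY_KEY *k, int min_bits)
{
    return TOY_KEY_get_bits(k) >= min_bits;
}
int key_id_equals(const TOY_KEY *k, const unsigned char expect[8])
{
    return memcmp(TOY_KEY_get0_id(k), expect, 8) == 0;
}

/* ---- "library" internals: in real life these live inside libcrypto ---- */
#if !TOY_PRE_1_1
struct toy_key_st { int bits; unsigned char id[8]; };
int TOY_KEY_get_bits(const TOY_KEY *k) { return k->bits; }
const unsigned char *TOY_KEY_get0_id(const TOY_KEY *k) { return k->id; }
#endif
TOY_KEY *toy_key_new(int bits, const unsigned char id[8])
{
    TOY_KEY *k = malloc(sizeof *k);
    if (k) { k->bits = bits; memcpy(k->id, id, 8); }
    return k;
}
```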

Having done 2/3 of the job, the patch set is about +900 insertions,
-200 deletions (or something like that). I still have a lot of things
to do and I should finish my first pass at the beginning of next week.
I don't expect the patch set to be much longer than it already is.

Now, I have a question which is related to this. The way I'm doing
things, I will make sure that the new code is compatible with both
OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
compatible with version 0.9.8 as well, yet I can't stop wondering if
this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 months ago and I
believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
library -- unless it wants to make sure that future vulnerabilities in
this old, deprecated version will affect it (and I'm not sure it's a
good thing). Same goes for OpenSSL 1.0.1 which has been declared out
of support in January 2017.

I understand that I'm the new guy in town, but can you allow me to
make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
require at least version 1.0.2?

Best regards,

-- Emmanuel Deloget



Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread David Sommerseth
On 13/02/17 20:50, Christian Hesse wrote:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(

I do understand the frustration ... but let's be fair too.  OpenSSL v1.1
is considered a major upgrade from v1.0 and they don't guarantee API/ABI
stability across major upgrades.

And the v1.1 API does indeed try to clean up a lot of the API mess and
confusions.  So it is a move in the right direction.  I attended an
OpenSSL v1.1 talk at devconf.cz in the end of January this year, I'll
try to dig up the slides from Tomas Mraz who had the talk.  It was quite
informative why it was needed to break several APIs in v1.1.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Matthias Andree
Am 13.02.2017 um 20:50 schrieb Christian Hesse:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(


Much frustration can be muttered and uttered about OpenSSL and more so
of its spin-offs such as LibreSSL, but this accusation is unjustified;
the API and ABI compatibility is one of the areas where OpenSSL's
documentation is adequate and transparent.





Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Christian Hesse
On Mon, 13 Feb 2017 20:33:38 +0100
Gert Doering  wrote:
> On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> > Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN
> > does not compile against this version. Did anybody start the work
> > to support latest openssl versions?  
> 
> How does Arch deal with OpenSSH (which doesn't compile with 1.1.0
> either, at least "out of the repo")?

Good question... I am not responsible for the openssh package. Gaetan
has to deal with it.

And a lot more has to be done... There's a long list of packages to be
fixed. Sadly openssl developers do not care about ABI and API stability
or compatibility. :(
-- 
Best regards,
Chris



Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Gert Doering
Hi,

On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
> compile against this version. Did anybody start the work to support latest
> openssl versions?

How does Arch deal with OpenSSH (which doesn't compile with 1.1.0 either,
at least "out of the repo")?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de

